Popular Chinese file-sharing application SHAREit has severe security vulnerabilities, some of which can be abused by nefarious actors to leak sensitive data from impacted devices. The flaws could also allow attackers to execute arbitrary code with the app’s permissions by using malicious code or modified installation files. These findings are part of a recent report by security firm Trend Micro.
SHAREit was one of the 59 Chinese mobile apps that were banned by the Indian government in June last year as part of the first wave of bans. The official explanation was that the apps were found to be jeopardising the privacy of Indian users and the data sovereignty of India.
While the government hadn’t substantiated the reasons further, the recent report by Trend Micro should offer users some understanding of the potential security risks associated with at least one of the banned apps. That does not, however, mean that this vulnerability is the reason for the ban in India.
As a file-sharing app, SHAREit would require users to grant several permissions, such as reading their storage and access to their camera, microphone and even location.
The report says that SHAREit’s vulnerabilities could potentially lead to remote code execution (RCE). In this type of vulnerability, an attacker is able to run code of their choosing with system-level privileges on a server that possesses the appropriate weakness.
“In the past, vulnerabilities that can be used to download and steal files from users’ devices have also been associated with the app. While the app allows the transfer and download of various file types, such as Android Package (APK), the vulnerabilities related to these features are most likely unintended flaws,” says the report.
Besides file-sharing, SHAREit had added videos as an engagement feature in 2019 through partnerships with third-party content providers as well as OTT platforms and TV channels such as Hotstar, Viacom and Airtel Wynk, among others.
Among the over 250 Chinese apps banned in India, several have been accused of sending data of Indian users offshore, a primary reason cited ahead of their ban in the country. Various other reports by cybersecurity firms have also detailed that several Chinese apps that were popular in India, including TikTok and SHAREit, would seek excessive information from users, a lot of which wasn’t essential to their functionality.
Notably, Indian startups and their web applications can’t boast of a more robust cybersecurity posture, as a spate of data breaches in the past few years has shown.